Chapter 7: Network Intrusion Detection

Network Intrusion Detection

  • An IDS can have an enormous positive impact on the overall security of your organization.
  • Its main function is to identify attacks and security incidents.
  • It can also implement countermeasures (active responses).

Network Intrusion Detection Basics

  • Designed to examine network traffic to identify threats by detecting scans, probes, and attacks.
  • Goal: assist you in ensuring that systems can handle those threats properly.
  • By detecting attacks, it enables you to identify and react to threats against your environment, as well as threats that your hosts might be directing at other networks.
  • Types
  1. Network IDS
  • Sniffs traffic and analyzes it, searching for various signatures that could indicate a scan or probe, reconnaissance activity, or an attempt to exploit a vulnerability.
  • Does not interfere with traffic (passive monitoring).
  • Signature-based detection is the most common.
  • Some sensors are starting to make active responses to suspicious traffic, such as terminating suspicious TCP connections.
  • A network IDS signature is a pattern that you are looking for in traffic.
  • Uses sensors to sniff traffic and analyze it.
  2. Host-based IDS
  • Focuses on detecting attacks against a particular host.
  3. Anomaly-based IDS – relies on statistical analysis to identify traffic that falls outside what is normally seen in this environment.
  4. Log analyzers – monitor OS and application logs.
  5. File integrity software – alerts if particular files are altered.
  • Need for Intrusion Detection
  • Without an IDS you are unaware of many attacks that occur.
  • An IDS gives you information about the attack so you can fix the weakness and keep it from happening again.
  • It lets you know about attacks that do no visible damage, such as extracting password files.
  • Attacks often involve multiple steps or phases; the first is usually a scan.
  • Without an IDS you are usually unable to detect such multi-stage attacks.
  • After the scan, the second set of queries could occur hours or days later, or within seconds (a specifically designed automated attack).
  • If buffer overflow exploits are successful, the attacker could potentially gain root privileges.
  • An IDS detects reconnaissance scans, notifying security personnel that such activity is taking place and that future attacks on the targeted systems are likely.

Network IDS Signatures

-A network IDS signature is a pattern that you are looking for in traffic.

-If traffic matches a pattern, then an alert will be generated, or the event is otherwise recorded

-Simple EX: Land attack

  • The source and destination IP addresses (and, in the original attack, the ports) in a packet are the same – this violates the standard, since no legitimate host sends a packet to itself across the network.
  • Older OSes could not properly handle such packets and would hang or crash.
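The Land signature above is simple enough to implement directly on the raw packet. The following is an added example, not code from the page or from any IDS product: it parses the IPv4 and TCP headers of a constructed packet (the sample packets and the documentation addresses 192.0.2.10 and 198.51.100.7 are made up for the example) and flags the packet when the source and destination address, and for TCP the ports, are equal. Requiring the ports to match as well is an assumption that makes the signature more specific than an address-only check.

```python
import ipaddress
import struct


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, flags=0x02):
    """Build a minimal 40-byte IPv4 + TCP packet (SYN by default).
    Constructed test input only; checksums are left at zero because the
    detector below never relies on them."""
    ver_ihl = (4 << 4) | 5                    # IPv4, 20-byte header (IHL = 5)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         ver_ihl, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    data_off = 5 << 4                         # 20-byte TCP header, no options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port, 0, 0, data_off, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4(pkt):
    """Return (src, dst, protocol, header_length) from an IPv4 header,
    or None if the bytes are not a well-formed IPv4 header."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, ihl)


def is_land_attack(pkt):
    """Land signature: source and destination IP are equal and, for TCP,
    the source and destination ports are equal too. A malformed header is
    not an alert here; a real sensor would raise a separate decoder alert."""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return False
    src, dst, proto, ihl = hdr
    if src != dst:
        return False
    if proto == 6 and len(pkt) >= ihl + 4:    # TCP: compare the ports as well
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return sport == dport
    return True                               # other protocols: address match


# Constructed samples (not captured traffic)
SAMPLES = {
    "land":   build_ipv4_tcp("192.0.2.10", "192.0.2.10", 139, 139),
    "normal": build_ipv4_tcp("198.51.100.7", "192.0.2.10", 40213, 80),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {'ALERT land attack' if is_land_attack(pkt) else 'ok'}")
```

A sensor would feed `is_land_attack` the IP payload of each captured frame; the header parse is deliberately strict so that a truncated or non-IPv4 packet cannot be misread as a match.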

-Some signatures are considerably more complicated than the Land attack.

-Many signatures are protocol or application specific (e.g. pertain only to DNS traffic).

-Some IDSs focus on matching long byte sequences taken from published exploit code.

-Other IDSs perform full protocol analysis, examining and validating the header and payload values of each packet (more resource intensive, but a more robust signature solution).

-Most intrusion detection vendors update their signatures as new exploits are found.

How Signatures Work

-Nimda worm

  • When it infects a web server, it sends a set of HTTP requests to other servers, for example:
  • GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
  • This request exploits a Unicode directory traversal vulnerability in certain unpatched Microsoft IIS servers to run cmd.exe and gain unauthorized privileges.

Detection Techniques

  1. Write a simple text-matching signature that looks in the TCP payload for /scripts/..%c0%af../ in a URL (more precisely, in the payload of a TCP packet that a client sends to a server’s port 80).
  2. %c0%af is an overlong UTF-8 encoding of “/”; vulnerable IIS versions decoded it after the path check, so “..%c0%af..” escaped the web root where a literal “../” would have been rejected.
  3. The worm issues several GET requests with slightly different encodings of the slash, so a plain text signature needs a separate entry for each one.
  4. Alternatively, decode the request, substituting a slash for the %c0%af sequence, and then analyze the validity of the decoded URL. This is more resource intensive but catches the variants with one signature.

False Positives and False Negatives

  • Both are a problem with signatures and signature-based IDSs.
  • If an attacker slightly modifies the attack, the signature might not be able to identify it at all.
  • False Positive

-The sensor classifies benign activity as an attack.

-By selecting a solid IDS product and tuning your sensors, you can reduce false positives, but you can’t completely eliminate them.

  • False Negative

-The signature fails to generate an alert when its associated attack occurs.

-False negatives get less attention because you usually have no way of knowing that they have occurred.

Developing Signatures that Minimize False Positives and Negatives

-If you search for “cmd.exe”, it might match many other strings that contain this substring, such as “cmd.exe-analysis.html” in a legitimate URL.

  1. Very general signatures – match many different attack attempts, but also match benign traffic.
  2. Very specific signatures – trigger fewer false positives than a general signature, but reducing false positives this way often comes at the expense of increasing false negatives.
  3. More complex signatures (decoding, protocol analysis) – usually better than simple text-matching signatures, which are unable to identify most variations on attacks.

-Moral: reducing false positives usually comes at the expense of increasing false negatives, and vice versa; tune toward the balance your analysts can handle.
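To make the trade-off concrete, here is an added example (not from the page or any IDS product) that scores three signatures of increasing specificity against a small, hand-labelled set of constructed HTTP request lines. The request lines, their labels and the signature names are all made up for the example; the regular expressions are assumptions about how one might express the page's “general”, “specific” and “more complex” signatures.

```python
import re

# Constructed sample request lines as a sensor would see them in the
# client-to-server payload, labelled by hand (True = attack). Not real traffic.
SAMPLES = [
    ("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0", True),
    ("GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0", True),
    ("GET /msadc/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0", True),
    ("GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0", True),
    # attacker hex-encodes the 'c' of cmd.exe to dodge a text match
    ("GET /scripts/..%c0%af../winnt/system32/%63md.exe?/c+dir HTTP/1.0", True),
    ("GET /docs/cmd.exe-analysis.html HTTP/1.1", False),
    ("GET /index.html HTTP/1.1", False),
    ("GET /support/windows/cmd.exe-flags.txt HTTP/1.1", False),
]

SIGNATURES = {
    # general: the bare string anywhere in the payload
    "general":  re.compile(r"cmd\.exe"),
    # specific: the exact traversal string from the page's Nimda request
    "specific": re.compile(r"/scripts/\.\.%c0%af\.\./"),
    # complex: cmd.exe reached through the system32 path and executed (?/c+)
    "complex":  re.compile(r"/winnt/system32/cmd\.exe\?/c\+", re.IGNORECASE),
}


def evaluate(sig, samples):
    """Count true/false positives and negatives for one signature."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for payload, is_attack in samples:
        hit = sig.search(payload) is not None
        if hit and is_attack:
            counts["tp"] += 1
        elif hit and not is_attack:
            counts["fp"] += 1
        elif not hit and is_attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def compare(signatures=SIGNATURES, samples=SAMPLES):
    """Score every signature against the labelled set."""
    return {name: evaluate(sig, samples) for name, sig in signatures.items()}


if __name__ == "__main__":
    for name, counts in compare().items():
        print(f"{name:9s} {counts}")
```

On this set the general signature catches four of the five attacks but also fires on both benign “cmd.exe-*” documents, the specific signature has no false positives but misses every variant that does not use %c0%af, and even the more careful signature misses the request whose “c” was hex-encoded. No pattern on raw bytes wins on both axes at once, which is why the next sections turn to decoding before matching.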

Detecting IDS Evasion Techniques

-Attackers have many methods of altering their requests to avoid IDS detection.

-One is to replace a character with its hex (URL-encoded) or Unicode equivalent.

-If we were looking for the Nimda worm by searching for “cmd.exe”, the attacker could rewrite the string as “cmd.%65xe”, where “%65” is the hex encoding of “e”; a plain text match for “cmd.exe” no longer fires.

-A sensor that performs hex decoding before signature comparison would determine that the decoded string still matches.
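The decoding approach described under Detection Techniques (substitute a slash for the overlong sequence, then judge the decoded URL) and the hex-decoding defence just described are the same operation, so one added example covers both. This is illustrative code, not from the page or any IDS: it canonicalizes a request path the way a lenient target would (repeated percent-decoding to undo double encoding, mapping of a few overlong UTF-8 slash encodings, backslash and case folding) and only then applies a traversal-to-cmd.exe signature. The request lines are constructed, and the overlong-sequence table is an assumption limited to the encodings needed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed request lines (not captured traffic). The first is the page's
# Nimda example; the next three are evasions of a plain "cmd.exe" text match;
# the last is benign.
REQUESTS = [
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.%65xe?/c+dir HTTP/1.0",     # %65 = 'e'
    "GET /scripts/..%c1%9c../winnt/system32/%63%6d%64.exe?/c+dir HTTP/1.0",  # c, m, d in hex
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",         # double-encoded '\'
    "GET /docs/cmd.exe-analysis.html HTTP/1.1",                               # benign
]

# Two-byte overlong UTF-8 forms of '/' and '\' that a strict decoder rejects
# but the vulnerable IIS versions accepted. Assumed table for this example.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\x2f": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}


def normalize(url, max_rounds=3):
    """Canonicalize a URL path as a lenient server would interpret it.
    Decoding is repeated (bounded) so %255c -> %5c -> '\' is unwound, then
    overlong slashes are mapped, backslashes unified and case folded."""
    data = url.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        for bad, good in OVERLONG.items():
            decoded = decoded.replace(bad, good)
        if decoded == data:          # nothing left to decode
            break
        data = decoded
    return data.replace(b"\\", b"/").decode("latin-1", "replace").lower()


# Signature applied to the normalized path: a parent-directory step followed
# somewhere by cmd.exe. Benign "cmd.exe-analysis.html" has no "/../" and
# therefore does not match.
TRAVERSAL_TO_CMD = re.compile(r"/\.\./.*cmd\.exe")


def detect(request_line):
    """Return (raw_text_hit, normalized_hit) for one request line."""
    raw_hit = "cmd.exe" in request_line
    parts = request_line.split(" ")
    path = parts[1] if len(parts) > 1 else request_line
    norm_hit = TRAVERSAL_TO_CMD.search(normalize(path)) is not None
    return raw_hit, norm_hit


def scan_all(requests=REQUESTS):
    return [detect(r) for r in requests]


if __name__ == "__main__":
    for req, (raw, norm) in zip(REQUESTS, scan_all()):
        print(f"raw={raw!s:5} normalized={norm!s:5}  {req}")
```

The raw “cmd.exe” match misses three of the four attack variants and fires on the benign document; matching after normalization catches all four and stays quiet on the benign one. The cost is the decoding work per request, which is the resource trade-off the page describes, and the bounded decode loop is there so that a payload crafted to decode endlessly cannot tie up the sensor.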

Analyzing, Logging, and Reporting

-If traffic matches a signature, the sensor logs the pertinent aspects of the traffic or generates an alert.

-Logging is usually done to a database so that it can be queried later.

-Alerts can be delivered to intrusion analysts in a variety of ways, including messages on the analyst console, email, SNMP traps, and so on, depending on the product being used.

-Reporting is another key element of intrusion detection.

-If you have multiple sensors, you want all data collected in one place (a central database): it is more convenient to view, easier to back up, and supports further queries and reporting.

Intrusion Detection Software

-Snort, Shadow, Cisco Secure IDS, Enterasys Dragon, ISS RealSecure, NFR Security NID, and others.

-Functionality varies widely.

  • Some sensors may analyze traffic and collect statistical information to detect policy violations.
  • Tiered solutions – deploy multiple IDS sensors on various network segments and correlate events from all the sensors’ data before making an alert decision.
  • Some can process and correlate data from various IDS sensors, firewalls, and other hosts.

-Distributed IDSs – administrators from organizations all over the world submit logs from their own IDS sensors, firewalls, and other devices to a distributed IDS service, producing a wealth of data for intrusion analysis.

-Outsourced Intrusion Detection System Monitoring – a provider performs 24-hour monitoring of your IDS sensors and alerts your staff in case of attack.
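The central alert database described under Analyzing, Logging, and Reporting and the cross-sensor correlation of tiered solutions are easiest to see with a query. The following is an added example (not from the page or any product): alerts from an “outside” and an “inside” sensor straddling a firewall are loaded into one SQLite table, and three queries answer the questions a perimeter analyst asks: what got through the firewall, what the firewall blocked, and which internal hosts were hit. The alert rows, sensor names and signature labels are constructed; the 5-second correlation window is an assumption allowing for clock skew between sensors.

```python
import sqlite3

# Constructed alerts (not real logs). Fields: sensor, timestamp (ISO 8601),
# source IP, destination IP, destination port, signature name.
ALERTS = [
    ("outside", "2024-05-01T10:00:01", "203.0.113.5",  "192.0.2.10", 80,   "WEB-IIS cmd.exe access"),
    ("inside",  "2024-05-01T10:00:02", "203.0.113.5",  "192.0.2.10", 80,   "WEB-IIS cmd.exe access"),
    ("outside", "2024-05-01T10:00:07", "203.0.113.5",  "192.0.2.10", 139,  "NETBIOS SMB probe"),
    ("outside", "2024-05-01T10:02:30", "198.51.100.9", "192.0.2.20", 53,   "DNS version.bind query"),
    ("outside", "2024-05-01T10:03:00", "198.51.100.9", "192.0.2.20", 1433, "MS-SQL probe"),
    ("inside",  "2024-05-01T10:03:01", "198.51.100.9", "192.0.2.20", 1433, "MS-SQL probe"),
]

WINDOW_DAYS = 5.0 / 86400.0   # assumed 5-second correlation window


def load(alerts=ALERTS):
    """Central alert store: one table shared by all sensors (in memory here)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alert (sensor TEXT, ts TEXT, src TEXT, dst TEXT,"
               " dport INTEGER, sig TEXT)")
    db.executemany("INSERT INTO alert VALUES (?, ?, ?, ?, ?, ?)", alerts)
    return db


def got_through_firewall(db):
    """Attacks seen outside AND inside within the window: the firewall passed
    them. Each row is either a misconfigured rule or an allowed service that
    now needs patching."""
    return db.execute("""
        SELECT o.src, o.dst, o.dport, o.sig
        FROM alert o JOIN alert i
          ON  o.src = i.src AND o.dst = i.dst AND o.dport = i.dport
          AND o.sig = i.sig
          AND ABS(julianday(o.ts) - julianday(i.ts)) <= ?
        WHERE o.sensor = 'outside' AND i.sensor = 'inside'
        ORDER BY o.ts""", (WINDOW_DAYS,)).fetchall()


def blocked_by_firewall(db):
    """Attacks the outside sensor saw that never appeared inside."""
    return db.execute("""
        SELECT src, dst, dport, sig FROM alert o
        WHERE sensor = 'outside' AND NOT EXISTS (
            SELECT 1 FROM alert i
            WHERE i.sensor = 'inside' AND i.src = o.src AND i.dst = o.dst
              AND i.dport = o.dport AND i.sig = o.sig
              AND ABS(julianday(o.ts) - julianday(i.ts)) <= ?)
        ORDER BY ts""", (WINDOW_DAYS,)).fetchall()


def attacked_hosts(db):
    """Incident-handling view: internal hosts hit, number of distinct
    signatures, number of distinct attacker addresses to look for elsewhere."""
    return db.execute("""
        SELECT dst, COUNT(DISTINCT sig) AS n_sigs, COUNT(DISTINCT src) AS n_src
        FROM alert GROUP BY dst ORDER BY n_sigs DESC, dst""").fetchall()


if __name__ == "__main__":
    db = load()
    print("got through:", got_through_firewall(db))
    print("blocked:    ", blocked_by_firewall(db))
    print("hosts hit:  ", attacked_hosts(db))
```

With only one sensor, neither of the first two questions can be answered; with two sensors but separate logs, answering them means hand-matching timestamps. The join is the reason the page insists on collecting every sensor's data in one place.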

Roles of Network IDS in a Perimeter Defense

  1. Identifying Weaknesses

-Helps identify security weaknesses and vulnerabilities so you can reduce or eliminate them.

-Security auditing – use the IDS logs and alerts to identify weaknesses in network defenses.

-Policy violations – receive alerts when certain protocols or well-known port numbers are used.

  2. Detecting Attacks from Your Own Hosts

-Although we tend to think of network IDS sensors as identifying suspicious activity that enters a network from the Internet, you can also use IDS sensors to identify outgoing attacks (for example, from a compromised internal host).

  3. Incident Handling and Forensics

-It can show you what hosts were attacked and what attacks were used against them.

-It gives you the basic information you need when starting to handle an incident, and it indicates other hosts that might have related data.

-Forensic uses – reviewing logs to investigate an incident.

  4. Complementing Other Defense Components

-Correlating the activity that individual hosts might see.

-Protocol and application analysis – some IDS sensors are capable of full protocol analysis, which means that they can examine the contents of an entire session as it occurs and alert you if the traffic does not match the protocol’s expectations.

-Active responses – when a sensor determines that a serious attack is occurring, it changes its own configuration, or that of other network devices (e.g. a firewall rule), to respond differently to traffic from the attacking host.

-It can also send active responses directly, such as a TCP reset packet to tear down the connection.

  • Problem: an attacker can spoof source IP addresses, so an automatic block or reset keyed on the source address can be turned against you, cutting off legitimate hosts (a self-inflicted denial of service). A reset also races the attack: the offending packet may already have been delivered before the reset arrives.

IDS Sensor Placement

  • Deploy multiple network IDS sensors.
  • Each sensor generally monitors a single network segment.
  • Deploying more intrusion detection sensors usually produces better results, because you can tune each of them to the traffic that you typically see on that segment.
  • Another reason for using multiple sensors is fault tolerance of your IDS.
  • Place sensors near filtering devices.
  • Sensors are often paired with firewalls or packet filters, near Internet access points.
  • If possible, deploy sensors on both sides of the firewall.
  • If it is not possible to deploy sensors on both sides of the firewall, weigh the trade-offs:
  • Outside
  • More likely to be attacked itself.
  • Detects all attacks, including those that don’t get through the filtering.
  • Will process more traffic than a sensor on an inside network, and raises alerts for attacks the firewall blocks anyway.
  • Inside
  • Reports only the attacks that actually get into the network.
  • Can help you determine whether your filtering device is misconfigured.

Placing Sensors on the Internal Network

  • Sensors are often placed along the network perimeter only, typically around Internet firewalls and packet filters; internal sensors additionally catch insider activity and attacks that have already crossed the perimeter.
  • Working with encryption
  • When planning network IDS sensor placement, you must consider how to deal with encrypted network traffic, such as VPN connections: a sensor placed where the traffic is still encrypted cannot inspect the payload, so place it on the decrypted side of the VPN endpoint.
  • Processing in high-traffic situations
  • The amount of traffic that IDS sensors can process depends on many factors, including what product is being used, which protocols or applications are most commonly used, and which signatures the sensor has been directed to look for.
  • Configuring switches correctly
  • Switches must have their SPAN (port mirroring) ports configured properly for network IDS sensors to see all the traffic passing through the switch; otherwise a sensor on a switched segment sees only broadcast traffic and traffic addressed to its own port.
  • Using an IDS management network
  • A separate network segment is used for communication between the IDS sensors and the management console.
  • Each sensor has two interfaces: one connected to the monitored network (sniffing only, typically with no IP address assigned) and the other connected to the management network (transferring IDS data and configuration updates).
  • Maintaining sensor security
  • Harden your IDS sensors to make the risk of compromise as low as possible.

Using Firewall/IDS Hybrid Solutions

  • Basically puts the firewall and IDS in the same box.
  • Hogwash – an example of such a hybrid device, also called a filtering IDS or gateway IDS (an inline, Snort-based packet scrubber).
  • The benefit is an active response capability (dropping or altering malicious packets inline) contained in a single box.

Case Study 1: Simple Network Infrastructure

-Only one connection point to the Internet.

-The firewall divides the network into three segments:

  1. An external DMZ segment that is connected to the Internet
  2. A screened subnet that contains servers that are directly accessed by Internet-based users or must directly access the Internet
  3. An internal segment that contains servers that typically aren’t directly connected to the Internet

-Deployment Recommendations

  1. Deploy all three IDS sensors as in the figure, one per segment.
  2. IDS 1, on the external segment, looks for any probes, scans, or attacks that are coming from the Internet.
  3. IDS 2, on the internal segment, shows you which malicious traffic got through the firewall to your internal network.
  4. IDS 3, on the screened subnet, focuses on identifying attacks against your externally exposed boxes.

Case Study 2: Multiple External Access Point

-Multiple external points of access: a dedicated connection to the Internet, a dial-up modem bank for remote users, and multiple frame relay connections to remote offices and business partners.

-Deployment Recommendations

  1. Deploy network IDS sensors on both sides of firewalls and packet filters.
  2. If you decide to deploy sensors for the external links that enter the firewall, and the firewall has several interfaces on separate network segments, you would probably want to deploy a sensor for each segment.

Case Study 3: Unrestricted Environment

-University network with three main groups: students, faculty and staff, and administration.

-No firewall at the perimeter.

-IDS Deployment

1. Protecting the administrative computers